Black Kingdom ransomware begins appearing on Exchange servers
Common Information
Type Value
UUID ccdd1a51-b79e-4299-b9f7-48e1998e44f7
Fingerprint a730a8d1a617b65f
Analysis status DONE
Considered CTI value 0
Text language
Published March 23, 2021, 10:08 p.m.
Added to db Sept. 26, 2022, 9:30 a.m.
Last updated Nov. 17, 2024, 5:54 p.m.
Headline Black Kingdom ransomware begins appearing on Exchange servers
Title Black Kingdom ransomware begins appearing on Exchange servers
Detected Hints/Tags/Attributes 40/2/16
Attributes
Type #Events Value
CVE 126 cve-2021-27065
Domain 5 yuuuuu44.com
Domain 5 nasa.gov
Domain 2 0xfff.py
Domain 24 mega.io
File 1 chacklogspl.aspx
File 1 ckpasspl.aspx
File 1 hackidio.aspx
File 128 w3wp.exe
File 1 c:\windows\system32\ojkgrctxslnbazd.exe
File 2 0xfff.py
File 6 decrypt_file.txt
md5 1 eebf143cf615ecbe2ede01527f8178b3
IPv4 4 185.220.101.204
IPv4 2 185.220.101.216
Url 3 http://yuuuuu44.com/vpn-service